
sentinel-queries's People

Contributors

bert-janp, dstreefkerk, ep3p, f-bader, gareth-rouse, grbray, h0ffayyy, reprise99, richlilly2004, sandytsang, ulf78, xg5-simon


sentinel-queries's Issues

Comparison vs. Assignment

Hi.
File: "Data Management/Data-CalculatePercentageperTable.kql"
Code:
Usage
| where TimeGenerated > ago(30d)
| where IsBillable = true
...
Correction:
| where IsBillable == true

Best regards.
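A complete version of the corrected calculation, written here as an added example rather than copied from the repository's Data-CalculatePercentageperTable.kql. It assumes the standard Sentinel Usage table (DataType, Quantity in MB, IsBillable) and a 30-day lookback; the let-bound names are the example's own.

```kql
// Added example: share of billable ingestion per table over the last 30 days.
// Note the comparison operator (==): a single "=" in a where clause is not a
// valid comparison in KQL and the query will not run.
let lookback = 30d;
let billable = Usage
    | where TimeGenerated > ago(lookback)
    | where IsBillable == true;
// Grand total as a scalar so every table can be expressed as a percentage of it
let totalMB = toscalar(billable | summarize sum(Quantity));
billable
| summarize IngestedMB = round(sum(Quantity), 2) by DataType
| extend PercentOfTotal = round(100.0 * IngestedMB / totalMB, 2)
| order by IngestedMB desc
```

The toscalar() call is evaluated once, so the per-table rows and the denominator come from the same filtered set; filtering on IsBillable before summing keeps free tables (for example AzureActivity) from inflating the denominator.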

Suggestion: changes to /Active Directory/SecurityEvent-IACFlagParser.kql

I changed /Active Directory/SecurityEvent-IACFlagParser.kql to look up the values from a table exported from msjobjs.dll and add the TimeGenerated to the output. (Without TimeGenerated it'd just return one entry with e.g. both "Account Enabled" and "Account Disabled".)

It seems too much for a PR, but if you want I'm happy to submit one with all or part of it. Ideally we'd use getexternaldata with a CSV instead of defining a table, but I couldn't find one readily available.

// Parser to retrieve the values from User Account Control and generate friendly names
// Based on https://github.com/reprise99/Sentinel-Queries/blob/main/Active%20Directory/SecurityEvent-UACFlagParser.kql
let uacmap = datatable (index: string, description: string) [
    "2048", "Account Enabled",
    "2049", "'Home Directory Required' - Disabled",
    "2050", "'Password Not Required' - Disabled",
    "2051", "'Temp Duplicate Account' - Disabled",
    "2052", "'Normal Account' - Disabled",
    "2053", "'MNS Logon Account' - Disabled",
    "2054", "'Interdomain Trust Account' - Disabled",
    "2055", "'Workstation Trust Account' - Disabled",
    "2056", "'Server Trust Account' - Disabled",
    "2057", "'Don't Expire Password' - Disabled",
    "2058", "Account Unlocked",
    "2059", "'Encrypted Text Password Allowed' - Disabled",
    "2060", "'Smartcard Required' - Disabled",
    "2061", "'Trusted For Delegation' - Disabled",
    "2062", "'Not Delegated' - Disabled",
    "2063", "'Use DES Key Only' - Disabled",
    "2064", "'Don't Require Preauth' - Disabled",
    "2065", "'Password Expired' - Disabled",
    "2066", "'Trusted To Authenticate For Delegation' - Disabled",
    "2067", "'Exclude Authorization Information' - Disabled",
    "2068", "'Undefined UserAccountControl Bit 20' - Disabled",
    "2069", "'Protect Kerberos Service Tickets with AES Keys' - Disabled",
    "2070", "'Undefined UserAccountControl Bit 22' - Disabled",
    "2071", "'Undefined UserAccountControl Bit 23' - Disabled",
    "2072", "'Undefined UserAccountControl Bit 24' - Disabled",
    "2073", "'Undefined UserAccountControl Bit 25' - Disabled",
    "2074", "'Undefined UserAccountControl Bit 26' - Disabled",
    "2075", "'Undefined UserAccountControl Bit 27' - Disabled",
    "2076", "'Undefined UserAccountControl Bit 28' - Disabled",
    "2077", "'Undefined UserAccountControl Bit 29' - Disabled",
    "2078", "'Undefined UserAccountControl Bit 30' - Disabled",
    "2079", "'Undefined UserAccountControl Bit 31' - Disabled",
    "2080", "Account Disabled",
    "2081", "'Home Directory Required' - Enabled",
    "2082", "'Password Not Required' - Enabled",
    "2083", "'Temp Duplicate Account' - Enabled",
    "2084", "'Normal Account' - Enabled",
    "2085", "'MNS Logon Account' - Enabled",
    "2086", "'Interdomain Trust Account' - Enabled",
    "2087", "'Workstation Trust Account' - Enabled",
    "2088", "'Server Trust Account' - Enabled",
    "2089", "'Don't Expire Password' - Enabled",
    "2090", "Account Locked",
    "2091", "'Encrypted Text Password Allowed' - Enabled",
    "2092", "'Smartcard Required' - Enabled",
    "2093", "'Trusted For Delegation' - Enabled",
    "2094", "'Not Delegated' - Enabled",
    "2095", "'Use DES Key Only' - Enabled",
    "2096", "'Don't Require Preauth' - Enabled",
    "2097", "'Password Expired' - Enabled",
    "2098", "'Trusted To Authenticate For Delegation' - Enabled",
    "2099", "'Exclude Authorization Information' - Enabled",
    "2100", "'Undefined UserAccountControl Bit 20' - Enabled",
    "2101", "'Protect Kerberos Service Tickets with AES Keys' - Enabled",
    "2102", "'Undefined UserAccountControl Bit 22' - Enabled",
    "2103", "'Undefined UserAccountControl Bit 23' - Enabled",
    "2104", "'Undefined UserAccountControl Bit 24' - Enabled",
    "2105", "'Undefined UserAccountControl Bit 25' - Enabled",
    "2106", "'Undefined UserAccountControl Bit 26' - Enabled",
    "2107", "'Undefined UserAccountControl Bit 27' - Enabled",
    "2108", "'Undefined UserAccountControl Bit 28' - Enabled",
    "2109", "'Undefined UserAccountControl Bit 29' - Enabled",
    "2110", "'Undefined UserAccountControl Bit 30' - Enabled",
    "2111", "'Undefined UserAccountControl Bit 31' - Enabled"
];
SecurityEvent
// UserAccountControl carries one or more "%%NNNN" message-table tokens; "-" means no flag changed
| where isnotempty(UserAccountControl) and UserAccountControl != "-"
| where AccountType == "User"
// Pull out every four-digit token so each one can be mapped to its friendly name
| extend x = extract_all(@"([0-9]{4})", UserAccountControl)
| mv-expand x
| extend x = tostring(x)
| join kind=leftouter (uacmap)
    on $left.x == $right.index
| project TargetAccount, UserAccountControl, description, TimeGenerated, Account
// Regroup per event so one row lists every flag change made in that event
| summarize AccountChanges=make_list(description, 50) by TargetAccount, TimeGenerated, Account
| order by TimeGenerated asc
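Building on the parser above, the following is an added example (not the repository's query and not the issue author's code) that turns the flag mapping into a hunt for changes that weaken an account: only the risky "Enabled" tokens are mapped, and a small constructed datatable stands in for SecurityEvent so the query runs stand-alone. The event IDs (4738 user changed, 4742 computer changed), the sample rows and the riskyFlags subset are the example's assumptions.

```kql
// Added example: surface UserAccountControl changes that lower an account's security.
// Constructed sample rows replace the real SecurityEvent table; swap the datatable for
// SecurityEvent | where EventID in (4738, 4742) to run it against live data.
let riskyFlags = datatable (index: string, description: string) [
    "2082", "'Password Not Required' - Enabled",
    "2089", "'Don't Expire Password' - Enabled",
    "2093", "'Trusted For Delegation' - Enabled",
    "2095", "'Use DES Key Only' - Enabled",
    "2096", "'Don't Require Preauth' - Enabled",
    "2098", "'Trusted To Authenticate For Delegation' - Enabled"
];
// Constructed sample data (hypothetical domain, hosts and accounts)
let sampleEvents = datatable (TimeGenerated: datetime, EventID: int, Computer: string, Account: string, TargetAccount: string, UserAccountControl: string) [
    datetime(2024-01-10T08:00:00Z), 4738, "DC01.contoso.local", @"CONTOSO\helpdesk1", @"CONTOSO\svc-backup", "%%2089 %%2096",
    datetime(2024-01-10T08:05:00Z), 4738, "DC01.contoso.local", @"CONTOSO\helpdesk1", @"CONTOSO\jdoe",       "%%2050 %%2089",
    datetime(2024-01-10T09:00:00Z), 4742, "DC01.contoso.local", @"CONTOSO\admin",     @"CONTOSO\WS01$",      "%%2093",
    datetime(2024-01-10T09:30:00Z), 4738, "DC01.contoso.local", @"CONTOSO\helpdesk1", @"CONTOSO\mjones",     "-"
];
sampleEvents
| where EventID in (4738, 4742)
| where isnotempty(UserAccountControl) and UserAccountControl != "-"
// Anchor on the "%%" prefix so only message-table tokens are matched, not any 4-digit run
| extend Token = extract_all(@"%%(\d{4})", UserAccountControl)
| mv-expand Token to typeof(string)
// Inner join keeps only events that touched at least one risky flag
| join kind=inner riskyFlags on $left.Token == $right.index
| summarize RiskyChanges = make_set(description), ChangeCount = count()
    by TimeGenerated, EventID, Computer, Account, TargetAccount
| order by TimeGenerated asc
```

Against the sample rows this returns three events: svc-backup with two risky changes (password never expires, pre-authentication not required), jdoe with one (the %%2050 token is a "Disabled" flag and is ignored), and the WS01$ computer account being trusted for delegation; the fourth row carries "-" and is filtered out. Anchoring the regex on "%%" is the caveat worth carrying back into the parser: a bare [0-9]{4} pattern would also match digits that happen to appear elsewhere in the field.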

Licensing Policy for the repository

Hi,

What is the licensing policy for the repository? Is it okay to use it for educational purposes, for training a text-to-KQL model?

Thanks
Shashank

Help

I have a question; I need to query:
[email protected] added users to groups in AAD between (some days)

  • what are the users' names
  • to which groups he added them

View the information in the following table:
Result (succeeded or not)
Group Display Name
Target User
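One way to answer this, as an added example that is not part of the original post or the repository: query the AuditLogs table for "Add member to group" operations by a given actor in a date window. It assumes the AuditLogs schema as ingested by the Sentinel Entra ID (AAD) connector, where TargetResources[0] is the user that was added and the group's name travels in modifiedProperties under "Group.DisplayName" with a JSON-quoted newValue; the actor address and dates are placeholders.

```kql
// Added example: who an actor added to which group, with the outcome of each operation.
// Replace the placeholder actor and window with the real values.
let actor = "actor@contoso.com";          // hypothetical initiating user
let startTime = datetime(2024-01-01);     // hypothetical window
let endTime = datetime(2024-01-15);
AuditLogs
| where TimeGenerated between (startTime .. endTime)
| where OperationName == "Add member to group"
| extend Actor = tostring(InitiatedBy.user.userPrincipalName)
| where Actor =~ actor
// The added member is the first target resource
| extend TargetUser = tostring(TargetResources[0].userPrincipalName)
// The group name lives in the member's modifiedProperties; strip the JSON quotes
| mv-apply prop = TargetResources[0].modifiedProperties on (
    where prop.displayName == "Group.DisplayName"
    | extend GroupDisplayName = trim('"', tostring(prop.newValue))
  )
| project TimeGenerated, Result, GroupDisplayName, TargetUser, Actor
| order by TimeGenerated asc
```

Result is "success" or "failure" in AuditLogs, so failed attempts are kept in the output rather than filtered, which is what the requested "succeeded or not" column needs. Using mv-apply on modifiedProperties avoids hard-coding an array index for Group.DisplayName, whose position is not guaranteed.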
