
Microsoft Defender for Cloud Blog

Notable Events in Azure Security Center

YuriDiogenes
Mar 04, 2018

Security Center uses the Microsoft Monitoring Agent (MMA) to collect security-related configuration and events from your machines and stores them in your Log Analytics workspace(s). Examples of such data are operating system logs (Windows event logs), running processes, and events from security solutions integrated with Security Center. The built-in notable events are listed below, each with the Log Analytics query that defines it:

Distinct malicious IP addresses accessed
union isfuzzy=true (WireData | where Direction == 'Outbound'), (WindowsFirewall | where CommunicationDirection == 'SEND'), (CommonSecurityLog | where CommunicationDirection == 'Outbound') | where isnotempty(MaliciousIP) | summarize by MaliciousIP

Computers with detected threats
ProtectionStatus | summarize arg_max(TimeGenerated, ThreatStatusRank) by Computer | where ThreatStatusRank > 199 and ThreatStatusRank != 470

Computers with guest account logons
SecurityEvent | where EventID == 4624 and TargetUserName == 'Guest' and LogonType in (10, 3) | summarize count() by Computer

High priority Active Directory assessment security recommendations
let schemaColumns = datatable(TimeGenerated:datetime, RecommendationId:string)[]; union isfuzzy=true schemaColumns, (ADAssessmentRecommendation | where FocusArea == 'Security and Compliance' and RecommendationResult == 'Failed' and RecommendationScore>=35) | summarize arg_max(TimeGenerated, *) by RecommendationId

High priority SQL assessment security recommendations
let schemaColumns = datatable(TimeGenerated:datetime, RecommendationId:string)[]; union isfuzzy=true schemaColumns, (SQLAssessmentRecommendation | where FocusArea == 'Security and Compliance' and RecommendationResult == 'Failed' and RecommendationScore>=35) | summarize arg_max(TimeGenerated, *) by RecommendationId

Members added to security-enabled groups
SecurityEvent | where EventID in (4728, 4732, 4756) | summarize count() by SubjectAccount

Domain security policy changes
SecurityEvent | where EventID == 4739 | summarize count() by DomainPolicyChanged

Computers with system audit policy changes
SecurityEvent | where EventID == 4719 | summarize count() by Computer

Suspicious executables
SecurityEvent | where EventID == 8002 and Fqbn == '-' | summarize ExecutionCountHash=count() by FileHash | where ExecutionCountHash <= 5

Computers missing critical updates
Update | where UpdateState == 'Needed' and Optional == false and Classification == 'Critical Updates' and Approved != false | summarize count() by Computer

Low priority AD assessment security recommendations
let schemaColumns = datatable(TimeGenerated:datetime, RecommendationId:string)[]; union isfuzzy=true schemaColumns, (ADAssessmentRecommendation | where FocusArea == 'Security and Compliance' and RecommendationResult == 'Failed' and RecommendationScore<35) | summarize arg_max(TimeGenerated, *) by RecommendationId

Low priority SQL assessment security recommendations
let schemaColumns = datatable(TimeGenerated:datetime, RecommendationId:string)[]; union isfuzzy=true schemaColumns, (SQLAssessmentRecommendation | where FocusArea == 'Security and Compliance' and RecommendationResult == 'Failed' and RecommendationScore<35) | summarize arg_max(TimeGenerated, *) by RecommendationId

Accounts failed to log on
SecurityEvent | where EventID == 4625 | summarize count() by TargetAccount

Locked accounts
SecurityEvent | where EventID == 4740 | summarize count() by TargetAccount

Password change or reset attempts
SecurityEvent | where EventID in (4723, 4724) | summarize count() by TargetAccount

Security groups created or modified
SecurityEvent | where EventID in (4727, 4731, 4735, 4737, 4754, 4755) | summarize count() by TargetAccount

Remote procedure call (RPC) attempts
SecurityEvent | where EventID == 5712 | summarize count() by Computer

User accounts created or enabled
SecurityEvent | where EventID in (4720, 4722) | summarize by TargetAccount

Computers with users added to a Linux group
Syslog | where Facility == 'authpriv' and SyslogMessage has 'to group' and (SyslogMessage has 'add' or SyslogMessage has 'added') | summarize by Computer

Computers with new Linux group created
Syslog | where Facility == 'authpriv' and SyslogMessage has 'new group' | summarize count() by Computer

Computers with failed Linux user password change
Syslog | where Facility == 'authpriv' and ((SyslogMessage has 'passwd:chauthtok' and SyslogMessage has 'authentication failure') or SyslogMessage has 'password change failed') | summarize count() by Computer

Computers with failed ssh logons
Syslog | where (Facility == 'authpriv' and SyslogMessage has 'sshd:auth' and SyslogMessage has 'authentication failure') or (Facility == 'auth' and ((SyslogMessage has 'Failed' and SyslogMessage has 'invalid user' and SyslogMessage has 'ssh2') or SyslogMessage has 'error: PAM: Authentication failure')) | summarize count() by Computer

Computers with failed su logons
Syslog | where (Facility == 'authpriv' and SyslogMessage has 'su:auth' and SyslogMessage has 'authentication failure') or (Facility == 'auth' and SyslogMessage has 'FAILED SU') | summarize count() by Computer

Computers with failed sudo logons
Syslog | where (Facility == 'authpriv' and SyslogMessage has 'sudo:auth' and (SyslogMessage has 'authentication failure' or SyslogMessage has 'conversation failed')) or ((Facility == 'auth' or Facility == 'authpriv') and SyslogMessage has 'user NOT in sudoers') | summarize count() by Computer

Distinct clients resolving malicious domains
let schemaColumns = datatable(ClientIP:string)[]; union isfuzzy=true schemaColumns, (DnsEvents | where SubType == 'LookupQuery' and isnotempty(MaliciousIP)) | summarize count() by ClientIP

Computers with web vulnerabilities
SecurityBaselineSummary | where PercentageOfPassedRules < 100 and BaselineType == "Web" | summarize count() by Computer

You can create your own notable events on top of the built-in ones; see Creating Custom Notable Event in Azure Security Center for the steps. Notable events can also appear as contextual information in a Security Incident; see Exploring Notable Events in Security Incidents for details.
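As an added example of what a custom notable event can look like (this query is not from the original post or from Security Center itself), the one below tightens the built-in "Accounts failed to log on" query. The built-in version counts 4625 events per account with no time window, so a single mistyped password and a password-spraying run look alike. This version runs over the same SecurityEvent table, restricts the search to a lookback window, drops machine accounts, keeps source-IP and logon-type context, applies a per-account threshold, and joins against lockout events (4740). The `lookback` and `threshold` values are assumptions to tune for your environment.

```kql
// Added example, not from the original post: a custom notable event built on
// the same SecurityEvent table the built-in queries use.
// lookback and threshold are assumed values; tune them per environment.
let lookback = 1h;
let threshold = 10;
// Accounts locked out inside the window (EventID 4740), keyed like 4625 by TargetAccount.
let lockouts = SecurityEvent
    | where TimeGenerated > ago(lookback)
    | where EventID == 4740
    | summarize Lockouts = count() by TargetAccount;
SecurityEvent
| where TimeGenerated > ago(lookback)
| where EventID == 4625                          // failed logon
| where AccountType == "User"                    // ignore machine accounts ...
| where TargetUserName !endswith "$"             // ... including ones mislabelled as users
| summarize
    FailedLogons    = count(),
    DistinctSources = dcount(IpAddress),
    SourceIPs       = make_set(IpAddress, 10),   // keep up to 10 source IPs for triage
    LogonTypes      = make_set(LogonType),       // 3 = network, 10 = RDP, etc.
    FirstFailure    = min(TimeGenerated),
    LastFailure     = max(TimeGenerated)
    by Computer, TargetAccount
| where FailedLogons >= threshold
| join kind=leftouter lockouts on TargetAccount
| extend Lockouts = coalesce(Lockouts, 0)        // no lockout row -> 0, not null
| project-away TargetAccount1
| order by FailedLogons desc, DistinctSources desc
```

Once it returns the rows you expect in Log Search, save it as a custom notable event the same way the built-in ones are defined. A high FailedLogons count from many DistinctSources with Lockouts still at 0 is the pattern worth looking at first, since spraying tools deliberately stay under the lockout threshold.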

Updated Oct 06, 2021
Version 3.0