Jul 08 2021 09:18 AM
Looking to generate a KQL query or Analytics rule to identify 'Multiple failed user logon attempts' from Windows PCs only and the user is classified as 'non-privileged'.
Just looking for the most effective way to define a 'non-privileged' user from either security alerts/events and/or AAD related logs.
Any best practice advice welcomed.
Jul 09 2021 06:53 AM
Hello @m_zorich.
Thank you very much for the reply. It is very much appreciated.
The reason for searching for 'non-privileged' status is to identify those logging onto resources that are short of permissions or privilege. Also the list of privileged users is smaller.
Ideally I want to review the EventID == 4625 from SecurityEvent where I can then 'join' or 'union' those failed user logons (account) against a user (account record) that can identify if they are a privileged user or not.
So for a user (account) entity is there a property that can 'state' if a user has privileged status, OR if they are NOT a member of a privileged access group, OR a member added to a security enabled group (EventIDs in "4728", "4732", or "4756") ?
So a simple starting point for failed logons being:
SecurityEvent
| where TimeGenerated >= ago(1d)
| where EventID == 4625
| summarize FailedLogons=count() by Account, Computer
| sort by FailedLogons desc
I will of course look at your links, but any further feedback to the questions I ask, would be very much welcomed.
Jason
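One way to carry the starting query above through to the "non-privileged only" result, as an added example rather than code from the thread: it assumes the list of privileged accounts lives in a Sentinel watchlist named PrivilegedUsers with a column AccountID holding values in the same DOMAIN\user form as SecurityEvent's Account column (both the watchlist name and the column are assumptions). A leftanti join keeps only failed logons whose account is not on that list, and the summary adds the columns a triage analyst normally wants (distinct computers, failure sub-status, first/last seen) plus a threshold so the rule fires on repeated failures rather than a single typo.

```kql
// Added example, not from the original thread.
// Assumes a watchlist 'PrivilegedUsers' with a column 'AccountID' (DOMAIN\user).
let lookback = 1d;
let threshold = 10;   // tune per environment; 4625 bursts are noisy on shared PCs
let Privileged = _GetWatchlist('PrivilegedUsers')
    | project AccountID = tolower(tostring(AccountID));
SecurityEvent
| where TimeGenerated >= ago(lookback)
| where EventID == 4625
// drop computer accounts and the placeholder / anonymous principals
| where TargetUserName !endswith "$"
| where TargetUserName !in ("", "-", "ANONYMOUS LOGON")
| extend AccountKey = tolower(Account)
// leftanti keeps rows with NO match in the watchlist, i.e. non-privileged accounts
| join kind=leftanti Privileged on $left.AccountKey == $right.AccountID
| summarize FailedLogons = count(),
            Computers     = dcount(Computer),
            SubStatuses   = make_set(SubStatus),
            SourceIPs     = make_set(IpAddress),
            FirstSeen     = min(TimeGenerated),
            LastSeen      = max(TimeGenerated)
  by Account
| where FailedLogons >= threshold
| sort by FailedLogons desc
```

The SubStatus set is worth keeping in the rule output: 0xC000006A (wrong password) against many accounts from one source reads very differently from 0xC0000064 (unknown user name), and 0xC0000234 (account locked out) tells you the lockout policy already engaged. Swapping leftanti for inner gives the complementary "privileged accounts with failed logons" rule from the same watchlist.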
Jul 17 2021 06:18 AM
Hi again @m_zorich,
After speaking to the client, due to where 'privileged' users are located, and to simplify the solution a little (no reference to MS Graph for the moment), an array with known privileged access groups will be used.
The array will contain each AAD Object Group's ID, that will be 'looped' through to obtain 'member' data.
So the 'initial' Logic App design includes the following (with highlighted area still to be resolved; struggling with):
* Apply Recurrence 'pattern'
* Initialise Variable GroupIDs (array type)
* Add GroupIDs to 'array'
* Parse JSON (of GroupID)
* Of Body returned, FIRST For Each (Return 'Group Members')
* For Each (Group Member)
* //NEED TO TEST 'IF' GROUP MEMBER HAS ALREADY BEEN ADDED TO WATCHLIST
* //HOW IS IT BEST TO QUERY ON THIS? - Account below represents Group Member
* ?// _GetWatchlist('PrivilegedUsers')
* ?// | extend AccountID = tostring(parse_json(WatchlistItem).AccountID)
* ?// | where AccountID == "@{items('For_each')?['Account']}"
* //OR
* ?// let PrivilegedUsers = (_GetWatchlist('PrivilegedUsers') | project AccountID);
* ?// | where Account !in (PrivilegedUsers)
* ?// | summarize AccountFound=count() by Account
* //Apply condition statement of:
* ?//If AccountID 'LENGTH' = 0
* //OR
* ?//If AccountFound 'COUNT' = 0
* Compose (input content for WATCHLIST; being AccountID : Account)
* Apply action: Watchlists - Add a new watchlist item
So the outstanding question I have is, how can I see if the account exists in the Watchlist and only add it if it doesn’t exist?
Of the watchlist, I initially pre-created it with only the 'HEADERS' and no items.
Jason
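For the outstanding question (add a group member to the watchlist only if it is not already there), the per-item check sketched above works, but it costs one query per member on every recurrence. As an added example, not code from the thread, this query takes the whole set of members collected by the For Each loop in one go and returns only the ones missing from the watchlist, so the Logic App needs a single "Run query and list results" action followed by a For Each over the result that calls "Add a new watchlist item". The watchlist name, its AccountID column, and the Members variable holding the collected accounts are all assumptions.

```kql
// Added example, not from the original thread.
// The Logic App is assumed to substitute its collected members array here, e.g.
//   let Candidates = dynamic(@{variables('Members')});
// The literal below is a constructed placeholder so the query runs stand-alone.
let Candidates = dynamic(["CONTOSO\\alice", "CONTOSO\\bob", "CONTOSO\\svc-backup"]);
// Accounts already present in the watchlist, normalised for case-insensitive matching
let Existing = _GetWatchlist('PrivilegedUsers')
    | project AccountID = tolower(tostring(AccountID));
print Members = Candidates
| mv-expand Account = Members to typeof(string)
| extend AccountKey = tolower(Account)
// leftanti: keep candidates that have NO matching row in the watchlist
| join kind=leftanti Existing on $left.AccountKey == $right.AccountID
| distinct AccountID = Account
```

An empty result means nothing needs adding, so the condition in the Logic App becomes a single length check on the action's value array (for example length(body('Run_query_and_list_results')?['value']) greater than 0, with the action name being whatever you gave it) instead of a count per member. Lower-casing both sides matters because the same principal can arrive as CONTOSO\Alice from one source and contoso\alice from another, and a case-sensitive comparison would add it twice.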