• Defender
    • User Logged In With Local Admin Rights

      DeviceLogonEvents
      | where IsLocalAdmin == 1
      | where AccountName !in ("daronberg-a", "esomar-a", "pmoshiryzavieh-a", "gwerner-a", "svcinsightvm")
      | extend locallogon = extractjson("$.IsLocalLogon", AdditionalFields, typeof(string))
      | project Timestamp, DeviceName, AccountDomain, AccountName, LogonType, ActionType, locallogon, ReportId, DeviceId, AccountSid
      | sort by Timestamp

    • An IT Admin Established a Privileged Connection to a Computer

      DeviceLogonEvents
      | where IsLocalAdmin == 1
      | where AccountName !in ("daronberg-a", "esomar-a", "pmoshiryzavieh-a", "gwerner-a", "svcinsightvm")
      | extend locallogon = extractjson("$.IsLocalLogon", AdditionalFields, typeof(string))
      | project Timestamp, DeviceName, AccountDomain, AccountName, LogonType, ActionType, locallogon, ReportId, DeviceId, AccountSid
      | sort by Timestamp

    • A Non-IT "-A" User Established a Privileged Connection to a Computer

      DeviceLogonEvents
      | where IsLocalAdmin == 1
      | where AccountName !in ("shall-a", "bschonhaut-a", "pmoshiryzavieh-a", "jshashaty-a", "esomar-a", "daronberg-a", "svcinsightvm")
      | extend locallogon = extractjson("$.IsLocalLogon", AdditionalFields, typeof(string))
      | project Timestamp, DeviceName, AccountDomain, AccountName, LogonType, ActionType, locallogon, ReportId, DeviceId, AccountSid
      | sort by Timestamp
  • Sentinel
    • PowerShell "Successful/Failed Logon"

      • Failed PowerShell Logon

        SigninLogs
        | where Status.errorCode != 0
        | where AppDisplayName == "Microsoft Azure PowerShell"
        | extend EDT = datetime_utc_to_local(TimeGenerated, "US/Eastern")
        | extend City = LocationDetails.city, State = LocationDetails.state, Country = LocationDetails.countryOrRegion, Error_Code = Status.errorCode, Failure_Reason = Status.failureReason, OS = DeviceDetail.operatingSystem, EventId = Id // Success=AuthenticationDetails.authenticationStepResultDetail
        | project TimeGenerated, EDT, UserPrincipalName, AppDisplayName, IPAddress, City, State, Country, AuthenticationRequirement, Failure_Reason, ConditionalAccessStatus, ConditionalAccessPolicies, Error_Code, UserAgent, ResourceDisplayName, EventId, ResultDescription, UserDisplayName

        Rule frequency: Run query every 10 minutes
        Rule period: Last 10 minutes data
        Rule threshold: Trigger alert if query returns more than 10 results
        Event grouping: Group all events into a single alert
        Suppression: Not configured
        Create incidents from this rule: Enabled
        Alert grouping: Disabled

      • Successful PowerShell Logon

        SigninLogs
        | where Status.errorCode == 0
        | where AppDisplayName == "Microsoft Azure PowerShell"
        | extend EDT = datetime_utc_to_local(TimeGenerated, "US/Eastern")
        | extend City = LocationDetails.city, State = LocationDetails.state, Country = LocationDetails.countryOrRegion, Error_Code = Status.errorCode, Failure_Reason = Status.failureReason, OS = DeviceDetail.operatingSystem, EventId = Id // Success=AuthenticationDetails.authenticationStepResultDetail
        | project TimeGenerated, EDT, UserPrincipalName, AppDisplayName, IPAddress, City, State, Country, AuthenticationRequirement, Failure_Reason, ConditionalAccessStatus, ConditionalAccessPolicies, Error_Code, UserAgent, ResourceDisplayName, EventId, ResultDescription, UserDisplayName

        Rule frequency: Run query every 1 hour
        Rule period: Last 1 hour data
        Rule threshold: Trigger alert if query returns more than 0 results
        Event grouping: Group all events into a single alert
        Suppression: Not configured
        Create incidents from this rule: Enabled
        Alert grouping: Disabled

    • Unusual Country "Successful/Failed Logon"

      • Successful Login from Unusual Country

        SigninLogs
        | where Status.errorCode == 0
        | where Location != "US" and Location != "GB" and Location != "FR" and Location != "CA" and Location != "ES" and Location != "AE"
        | extend City = LocationDetails.city, State = LocationDetails.state, Country = LocationDetails.countryOrRegion, Error_Code = Status.errorCode, Failure_Reason = Status.failureReason, OS = DeviceDetail.operatingSystem, EventId = Id // Success=AuthenticationDetails.authenticationStepResultDetail
        | extend EDT = datetime_utc_to_local(TimeGenerated, "US/Eastern")
        | project TimeGenerated, EDT, UserPrincipalName, AppDisplayName, IPAddress, City, State, Country, AuthenticationRequirement, Failure_Reason, ConditionalAccessStatus, ConditionalAccessPolicies, Error_Code, UserAgent, ResourceDisplayName, EventId, ResultDescription, UserDisplayName

        Rule frequency: Run query every 30 minutes
        Rule period: Last 30 minutes data
        Rule threshold: Trigger alert if query returns more than 0 results
        Event grouping: Trigger an alert for each event
        Suppression: Not configured
        Create incidents from this rule: Enabled
        Alert grouping: Disabled

      • Failed Logon Attempt from Unusual Country

        SigninLogs
        | where Status.errorCode != 0
        | where Location != "US" and Location != "GB" and Location != "FR" and Location != "CA" and Location != "AE"
        | extend EDT = datetime_utc_to_local(TimeGenerated, "US/Eastern")
        | extend City = LocationDetails.city, State = LocationDetails.state, Country = LocationDetails.countryOrRegion, Error_Code = Status.errorCode, Failure_Reason = Status.failureReason, OS = DeviceDetail.operatingSystem, EventId = Id // Success=AuthenticationDetails.authenticationStepResultDetail
        | project TimeGenerated, EDT, UserPrincipalName, AppDisplayName, IPAddress, City, State, Country, AuthenticationRequirement, Failure_Reason, ConditionalAccessStatus, ConditionalAccessPolicies, Error_Code, UserAgent, ResourceDisplayName, EventId, ResultDescription, UserDisplayName

        Rule frequency: Run query every 10 minutes
        Rule period: Last 10 minutes data
        Rule threshold: Trigger alert if query returns more than 10 results
        Event grouping: Group all events into a single alert
        Suppression: Not configured
        Create incidents from this rule: Enabled
        Alert grouping: Enabled
        Grouping logic: Match all entities
        Grouping period: Match from the last 5 hours

    • Local Group "User Added/Removed"

      • User Added to Local Group

        DeviceEvents
        | where ActionType == "UserAccountAddedToLocalGroup"
        | extend EDT = datetime_utc_to_local(TimeGenerated, "US/Eastern")
        | extend Group = AdditionalFields.GroupName
        | extend Account = InitiatingProcessAccountName
        | project EDT, ActionType, Group, DeviceName, Account

        Rule frequency: Run query every 15 minutes
        Rule period: Last 15 minutes data
        Rule threshold: Trigger alert if query returns more than 0 results
        Event grouping: Trigger an alert for each event
        Suppression: Not configured
        Create incidents from this rule: Enabled
        Alert grouping: Disabled

      • User Removed From Local Group

        DeviceEvents
        | where ActionType == "UserAccountRemovedFromLocalGroup"
        | extend EDT = datetime_utc_to_local(TimeGenerated, "US/Eastern")
        | extend Group = AdditionalFields.GroupName
        | extend Account = InitiatingProcessAccountName
        | project EDT, ActionType, Group, DeviceName, Account

        Rule frequency: Run query every 1 hour
        Rule period: Last 1 hour data
        Rule threshold: Trigger alert if query returns more than 0 results
        Event grouping: Trigger an alert for each event
        Suppression: Not configured
        Create incidents from this rule: Enabled
        Alert grouping: Disabled

    • Silent Log Alarm "SignInLogs | DeviceEvents"

      • SignInLogs

        SigninLogs
        | summarize count()
        | where count_ == 0

        Rule frequency: Run query every 4 hours
        Rule period: Last 4 hours data
        Rule threshold: Trigger alert if query returns more than 0 results
        Event grouping: Group all events into a single alert
        Suppression: Not configured
        Create incidents from this rule: Enabled
        Alert grouping: Disabled

      • DeviceEvents

        DeviceEvents
        | summarize count()
        | where count_ == 0

        Rule frequency: Run query every 4 hours
        Rule period: Last 4 hours data
        Rule threshold: Trigger alert if query returns more than 0 results
        Event grouping: Group all events into a single alert
        Suppression: Not configured
        Create incidents from this rule: Enabled
        Alert grouping: Disabled
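      The two silent-log rules above each watch one table. As an added example, not one of the rules in this list, a single rule can watch both tables and report which one went quiet; the table names are the page's own two tables and the 4-hour window matches the rules' period:

```kusto
// Added example, not part of the original rule set.
// Expected tables: the two the silent-log rules above monitor.
let Expected = datatable(TableName:string) ["SigninLogs", "DeviceEvents"];
// Count rows per table inside the rule period; withsource= tags each row
// with the name of the table it came from.
let Observed = union withsource=TableName SigninLogs, DeviceEvents
    | where TimeGenerated > ago(4h)
    | summarize Events = count() by TableName;
// A left outer join keeps a row for every expected table, so a table that
// produced no rows at all still appears (with a null count) and can alert.
Expected
| join kind=leftouter Observed on TableName
| where isnull(Events) or Events == 0
| project TableName, Events = coalesce(Events, long(0))
```

      Each result row names a silent table, so "Trigger an alert for each event" yields one alert per table instead of one undifferentiated alert.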

    • Account Lockout "Locked Account | Failed Device Logon Due to Locked Account"

      • Locked Account

        IdentityLogonEvents
        | where FailureReason == "AccountLocked"
        | extend EDT = datetime_utc_to_local(TimeGenerated, "US/Eastern")
        | extend AttackTechniques = tostring(AdditionalFields.AttackTechniques)
        | extend Count = tostring(AdditionalFields.Count)
        | project EDT, AccountName, FailureReason, AccountDomain, AccountUpn, AccountDisplayName, DeviceName, Application, LogonType, Protocol, IPAddress, Port, DestinationIPAddress, DestinationPort, TargetDeviceName, ISP, AttackTechniques, Count
        | summarize count() by AccountUpn, DeviceName, Application, LogonType, IPAddress, DestinationIPAddress, TargetDeviceName, ISP

        Rule frequency: Run query every 15 minutes
        Rule period: Last 15 minutes data
        Rule threshold: Trigger alert if query returns more than 0 results
        Event grouping: Group all events into a single alert
        Suppression: Not configured
        Create incidents from this rule: Enabled
        Alert grouping: Enabled
        Grouping logic: Match all entities
        Grouping period: Match from the last 15 minutes

      • Failed Device Logon Due to Locked Account

        DeviceLogonEvents
        | where ActionType == "LogonFailed"
        | where FailureReason == "AccountLocked"

        Rule frequency: Run query every 15 minutes
        Rule period: Last 15 minutes data
        Rule threshold: Trigger alert if query returns more than 0 results
        Event grouping: Trigger an alert for each event
        Suppression: Not configured
        Create incidents from this rule: Enabled
        Alert grouping: Enabled
        Grouping logic: Match all entities
        Grouping period: Match from the last 15 minutes

    • Risky User Detected

      AADRiskyUsers
      | extend EDT = datetime_utc_to_local(TimeGenerated, "US/Eastern")
      | extend RiskLastUpdatedTimeEDT = datetime_utc_to_local(RiskLastUpdatedDateTime, "US/Eastern")
      | project EDT, TimeGenerated, RiskDetail, RiskLastUpdatedTimeEDT, RiskLevel, RiskState, UserDisplayName, UserPrincipalName, OperationName, CorrelationId, Type, Id

      Rule frequency: Run query every 4 hours
      Rule period: Last 4 hours data
      Rule threshold: Trigger alert if query returns more than 0 results
      Event grouping: Trigger an alert for each event
      Suppression: Not configured
      Create incidents from this rule: Enabled
      Alert grouping: Disabled

    • Mass Download/Upload by a single user

      CloudAppEvents
      | where AccountDisplayName == "Robert Brenner"
      | where ActionType == "FileDownloaded"
      | project TimeGenerated, ObjectName, UserAgent, ISP, CountryCode, IsAnonymousProxy, IPAddress, OSPlatform, Application
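      The query above lists download events for one named user. As an added example, not from the original rule set, this version counts per user and per hour for any account and both directions, which is what makes the rule fire on volume rather than on a name; the threshold value and the "FileUploaded" action name are assumptions to confirm against the tenant's own CloudAppEvents data before use.

```kusto
// Added example, not one of the original rules. Threshold is a constructed
// starting value; tune it to the environment's normal per-user hourly volume.
let Threshold = 100;
// "FileUploaded" is assumed to be the upload counterpart of "FileDownloaded";
// check the ActionType values actually present in CloudAppEvents first.
CloudAppEvents
| where TimeGenerated > ago(1h)
| where ActionType in ("FileDownloaded", "FileUploaded")
// Aggregate per user, per direction, per hour so one burst produces one row.
| summarize Events = count(),
            DistinctFiles = dcount(ObjectName),
            SourceIPs = make_set(IPAddress, 10),
            AnonymousProxyEvents = countif(IsAnonymousProxy == true),
            Apps = make_set(Application, 5)
    by AccountDisplayName, ActionType, Hour = bin(TimeGenerated, 1h)
| where Events > Threshold
| project Hour, AccountDisplayName, ActionType, Events, DistinctFiles, SourceIPs, AnonymousProxyEvents, Apps
```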

    • Darktrace