Last active
June 23, 2021 20:47
SecurityEvent
| where TimeGenerated >= ago(14d)
| where EventID == 4768
| project TimeGenerated, Computer, TargetAccount, EventData=parse_xml(EventData)
| mv-apply d=EventData.EventData.Data on
(
    where d["@Name"]=="CertIssuerName"
    | project CIN=tostring(d["#text"])
)
| where not(isempty(CIN))
//In my prod, I'm seeing a lot of certs starting with a SID and containing live.com. Comment out the next line if you have that as well.
//| where not(CIN startswith "S-1-")
//If you're seeing a significant amount of machine accounts, it might be due to 802.1X or SCCM. https://twitter.com/MagnusMOD/status/1407800853088591872?s=20. The following lines allow you to filter out all endpoints. This does introduce a blind spot. Plus, you need a custom function which provides data about (on-prem) AD machines. Alternatively, you can use DeviceInfo, if you're ingesting that data from MDE.
//| parse CIN with "CN=" MachineName
//| join kind=leftouter MyCustomLookupFunction on $left.MachineName == $right.CN
//| where not(OperatingSystem startswith "Windows 10")
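As an added example (not part of the gist), the same filtering logic in Python over constructed 4768 EventData payloads: it pulls CertIssuerName out of the EventData XML like the mv-apply does, drops rows with an empty issuer, and optionally applies the two commented-out exclusions. The SAMPLE_EVENTS rows and the MACHINE_OS lookup are made up stand-ins for SecurityEvent and for the custom AD machine function.

```python
import xml.etree.ElementTree as ET

# Constructed sample rows shaped like SecurityEvent 4768 records (not real telemetry).
SAMPLE_EVENTS = [
    {"TargetAccount": "EXAMPLE\\alice",  # PKINIT logon: certificate issuer present
     "EventData": "<EventData><Data Name='TargetUserName'>alice</Data>"
                  "<Data Name='CertIssuerName'>CN=Example-Issuing-CA,DC=example,DC=local</Data></EventData>"},
    {"TargetAccount": "EXAMPLE\\bob",  # password logon: CertIssuerName empty
     "EventData": "<EventData><Data Name='TargetUserName'>bob</Data>"
                  "<Data Name='CertIssuerName'></Data></EventData>"},
    {"TargetAccount": "EXAMPLE\\carol",  # SID-prefixed issuer, like the live.com certs noted in the query
     "EventData": "<EventData><Data Name='CertIssuerName'>S-1-5-21-1-2-3-1001 live.com</Data></EventData>"},
    {"TargetAccount": "EXAMPLE\\WS01$",  # machine account (802.1X / SCCM style)
     "EventData": "<EventData><Data Name='CertIssuerName'>CN=WS01.example.local</Data></EventData>"},
]
# Hypothetical stand-in for the custom AD machine lookup (MachineName -> OperatingSystem).
MACHINE_OS = {"WS01.example.local": "Windows 10 Enterprise"}


def cert_issuer_name(event_data_xml: str) -> str:
    """Equivalent of the mv-apply: the CertIssuerName <Data> text, or '' if absent/empty."""
    root = ET.fromstring(event_data_xml)
    for node in root.iter():
        # endswith tolerates a namespaced <EventData xmlns=...> root as stored in Log Analytics
        if node.tag.endswith("Data") and node.get("Name") == "CertIssuerName":
            return (node.text or "").strip()
    return ""


def machine_name(cin: str) -> str:
    """Equivalent of `parse CIN with "CN=" MachineName`: the remainder after a leading CN=."""
    return cin[3:] if cin.startswith("CN=") else ""


def pkinit_logons(events, drop_sid_issuers=False, drop_windows10=False):
    """Apply the query's filters; return the surviving (TargetAccount, CIN) pairs."""
    hits = []
    for ev in events:
        cin = cert_issuer_name(ev["EventData"])
        if not cin:
            continue  # where not(isempty(CIN))
        if drop_sid_issuers and cin.startswith("S-1-"):
            continue  # where not(CIN startswith "S-1-")
        os_name = MACHINE_OS.get(machine_name(cin), "")  # leftouter join: missing -> ""
        if drop_windows10 and os_name.startswith("Windows 10"):
            continue  # where not(OperatingSystem startswith "Windows 10")
        hits.append((ev["TargetAccount"], cin))
    return hits
```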